Crying Out Cloud - December 2024 Newsletter

Stay informed with the latest cloud security vulnerabilities, including critical RCE issues in PAN-OS and Spring WebFlux, along with ongoing security incidents like Silent Skimmer and Mozi Botnet.

Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.

Here are our top picks!


🔍 Highlights

RCE Vulnerability in PAN-OS

Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. The chain allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.


Learn more in our blog.


🐞 High Profile Vulnerabilities

Critical Vulnerability in Spring WebFlux


A critical vulnerability, CVE-2024-38821, was identified in Spring WebFlux applications. This vulnerability allows unauthorized access to restricted static resources under specific configurations. It occurs when WebFlux applications use Spring’s static resources support with non-permitAll authorization rules, enabling attackers to bypass security filters and gain access by manipulating URLs. The affected versions include Spring Security 5.7.x to 6.3.x, and users are advised to upgrade to patched versions.

According to Wiz data, less than 63% of cloud environments have resources vulnerable to CVE-2024-38821.

Learn more here.

Vulnerabilities in Deprecated AWS ALB Middleware for ASP.NET Core


CVE-2024-8901 and CVE-2024-10125 are vulnerabilities in AWS's ALB adapters for Istio and ASP.NET Core, respectively, which lack proper validation for JWT issuer and signer identity. These issues allow an untrusted attacker to exploit unverified JWTs, posing risks of unauthorized access in configurations where ALB targets are directly exposed to the internet. Both repositories are deprecated and no longer supported. To mitigate, ensure ALBs lack public IPs and confirm that JWT signer attributes match the Application Load Balancer ARN in derived code.


Learn more here.
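The signer check described above, sketched as an added example (not code from the AWS adapters or from this newsletter): it inspects the header of the JWT that an ALB forwards in `x-amzn-oidc-data` and rejects tokens whose `signer` is not the expected load balancer ARN. The ARN, the `kid` and the sample tokens are constructed placeholders, and the ES256 signature must still be verified separately against the key published for `kid`.

```python
import base64
import json

# Assumed, constructed values for illustration; substitute your own ALB ARN.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                   "loadbalancer/app/example-alb/0123456789abcdef")
EXPECTED_ALG = "ES256"  # algorithm ALB uses to sign the forwarded JWT


def _b64url_decode(segment: str) -> bytes:
    # Normalise padding so padded and unpadded segments both decode.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_alb_jwt_header(token: str, expected_signer: str = EXPECTED_SIGNER):
    """Return (ok, reason). Pre-signature checks only: a token that passes
    here still needs its signature verified before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a three-part JWT"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "header is not valid base64url JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    if header.get("alg") != EXPECTED_ALG:
        return False, "unexpected alg"
    if header.get("signer") != expected_signer:
        return False, "signer does not match expected ALB ARN"
    if not header.get("kid"):
        return False, "missing kid"
    return True, "header ok"


def _make_token(header: dict) -> str:
    # Builds a constructed sample token with placeholder payload and signature.
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])


GOOD = _make_token({"alg": "ES256", "kid": "constructed-kid",
                    "signer": EXPECTED_SIGNER})
OTHER_ALB = _make_token({"alg": "ES256", "kid": "constructed-kid",
                         "signer": EXPECTED_SIGNER.replace("example-alb", "other-alb")})
NO_SIGNER = _make_token({"alg": "ES256", "kid": "constructed-kid"})
```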


Vulnerabilities in Ollama AI Infrastructure Project


Recent research uncovered high-severity vulnerabilities in the open-source AI framework Ollama, commonly used for deploying large language models (LLMs). These flaws (CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722) allow attackers to perform various malicious actions with a single HTTP request, including denial of service (DoS), model poisoning, and model theft.

According to Wiz data, less than 3% of cloud environments have resources vulnerable to these CVEs.


Learn more here.



Vulnerabilities in Citrix Virtual Apps and Desktops Chained for RCE
Recent research uncovered multiple vulnerabilities in Citrix Virtual Apps and Desktops, notably within its Session Recording feature, which could allow unauthenticated remote code execution (RCE) and privilege escalation. The vulnerabilities stem from the use of an insecure BinaryFormatter in message serialization via Microsoft Message Queuing (MSMQ), which is configured with overly permissive permissions. This configuration, combined with MSMQ’s HTTP accessibility, enables attackers to exploit RCE without authentication. Citrix has since addressed these issues in recent patches for specific versions, assigning the vulnerabilities CVE-2024-8068 and CVE-2024-8069.

According to Wiz data, less than 12% of cloud environments have resources vulnerable to these CVEs.


Learn more here.



 

🔒 Security Incidents & Campaigns

Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
In May 2024, researchers observed an attack by the Silent Skimmer threat actor, targeting a multinational organization’s payment infrastructure. This attack exploited known vulnerabilities in Telerik UI to gain unauthorized access and deploy various malicious tools, including web shells, reverse proxies, and reverse shells. Silent Skimmer primarily targeted payment gateways and databases to extract sensitive financial data.
Learn more here.



Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments


Researchers at CloudSEK’s Threat Research team identified major developments in the Androxgh0st toolkit, expanding its arsenal of vulnerabilities, and noticed a potential operational integration with the Mozi botnet. First observed in early 2024, Androxgh0st integrates Mozi’s attack patterns, targeting systems such as Cisco ASA, Atlassian JIRA, and PHP frameworks through tactics like remote code execution and credential theft. It is recommended to search your environment for indicators of compromise.
Learn more here.


Earth Kasha’s Campaign Exploiting Fortinet Vulnerability


Researchers discovered a new campaign by Earth Kasha, a threat group targeting Japan, Taiwan, and India since 2019, with connections to the broader APT10 umbrella. This recent campaign, beginning in 2023, employs updated TTPs, including exploiting vulnerabilities like CVE-2023-27997 (FortiOS/FortiProxy) for initial access. Earth Kasha uses a combination of malware, such as LODEINFO, NOOPDOOR, and MirrorStealer, to achieve persistence, steal credentials, and exfiltrate sensitive data. The group’s activities demonstrate overlaps with campaigns by other China-linked actors like Earth Tengshe and Volt Typhoon, suggesting potential 0-day sharing or third-party access brokers.


Learn more here.



EMERALDWHALE Attacks Targeting Exposed Git Config Files


Research uncovered an operation named EMERALDWHALE that compromised over 15,000 cloud service credentials by exploiting exposed Git configurations and other misconfigured web services. The attack aimed to steal credentials from private Git repositories and cloud environments, storing them in a publicly accessible S3 bucket from a previous victim. EMERALDWHALE targeted credentials for major cloud service providers, email providers, and various other services, aiming primarily to facilitate phishing and spam campaigns.


Learn more here.


Red Team Tactics with EA’s Johann Rehberger

Hold on to your headphones!


Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏


Listen on Spotify and Apple Podcasts.